Welcome to my information security blog. I hope the information I publish and comments I provide can offer some insight, for better or worse, into current industry trends, technologies, and innovations.
One of the purposes for this blog is to encourage creative and constructive dialogue, so feel free to comment. If you do, please provide your name.
If you have any feedback or would like to contact me offline, don't hesitate to email me: mike[@]cloppert[.]org

2008-09-22

I will be participating in a Defense Industrial Base / Law Enforcement / Dept of Defense panel at the SANS WhatWorks Summit in Forensics and Incident Response. The topic, broadly, will be "How are government agencies and contractors responding to large scale intrusions successfully?" Even if you don't do work with or for the government, I would encourage you to attend if you happen to be at the summit. The DoD, and by extension their contractors, see the bleeding edge of new offensive techniques, often years before other commercial sectors. Law enforcement organizations, naturally, become involved and bear witness to the same. If you're interested in how large organizations defend themselves against and respond to attacks that you will likely be seeing in the future, this will hopefully be a good session to attend.

The panel spots will be filled by decision-makers and technical staff alike, from large DIB contractors to DC3 to the FBI.

2008-09-18

No matter what lengths you go to, sometimes it's impossible to prevent identity theft. Countrywide recently disclosed that 2 million of its mortgage customers may have had their identities stolen - one of whom was likely me.

Now, I've always been very paranoid about who does and doesn't get what from me, with the perhaps-naive hope that this would at least mitigate the risk. I consider myself to be well educated on the topic. But in the back of my mind, I always knew I was at risk - after all, I worked at a financial institution for years. I saw just how secure it was, and by proxy the data of its customers.

When companies such as these - whose data helps define our identities - can't secure their systems, absolutely anyone can be a victim. This is why stronger legislation and repercussions are necessary for violations: they are the only thing that will force companies' hands in taking these issues, which the public is utterly defenseless on, seriously.

2008-09-03

I'm a very big - nay, a huge - t-shirt fan. I'll admit, I even subscribe to a t-shirt blog. If I attended meetings, it'd be an illness.

Threadless is a tee site I'm particularly fond of. While browsing their seemingly bottomless vault of shirts for sale, I came across this one. It hit home for a number of reasons.

Over the past few weeks I've struggled with the problem of visualizing a massive amount of data relating to some security incidents. This has proven a worthy endeavor not only in illustrating causality that isn't apparent in the raw data itself, but also in communicating to management various parts of the "story," letting them draw their own conclusions. I'll hopefully get to writing about a couple of techniques (no data, naturally) that have been particularly helpful in the coming weeks.

In a number of cases, the approaches I've taken have failed, most due to "over-dimensionality": trying to cram too many variables into the diagram. What resulted was cool, but required far too much explanation - much like the visualization in this picture. The data itself in this case is likely meaningless, but it's a good example of what can result when analysts are overly ambitious in attempting to communicate findings. It's easy to do. When we understand all of the data we have, thanks to many long hours of study and analysis, we feel every detail is important because we understand its contribution. But in telling the story, guiding readers to a conclusion, or illustrating causality, many times it is necessary to gloss over detail that can be spoken to or revealed if additional questions arise.

I've found that studying Tufte's literature has been a great help in improving my skills in visualization throughout the course of this calendar year, and while I appreciated this skill before, I now realize how critical it is to this profession. I'd encourage everyone in InfoSec to find a way to sharpen their skills in data visualization. It will pay dividends in your career that you didn't expect.

With special thanks to my boss for initially inspiring me to investigate this topic more thoroughly.

About Me

I have been employed in various information technology fields since 1997, and in information security since 2001. I have an undergrad degree in Computer Engineering from the University of Dayton, have received various industry certifications (GCIA, GREM, GCFA, etc.), and am currently pursuing an MS in Computer Science from George Washington University. I have lectured on various information security topics to IEEE, internal organization-wide IT conferences, and the annual Department of Defense Cybercrime Convention. My international work experience consists of training on general information security topics and IDS design/implementation onsite in Egypt, Israel, and India, as well as providing incident response assistance in the Far East. I have been a contributing editor to incident response procedures for two major organizations, and have been involved in digital forensic investigations since 2001. Currently, my work consists of security-related research and development, covering topics from vulnerability and exploit reverse engineering to implementation of security technologies, as well as digital forensics for an enterprise Computer Incident Response Team.